Description
I’ve been testing uploads using service accounts with minimal permissions (only storage.objects.create for upload-only scenarios). Here’s what I observed:
- Using gsutil cp, I am able to upload objects without needing storage.objects.get or storage.objects.list permissions.
- Using gcloud storage cp, even with composite uploads and resumable uploads disabled, I still get a 403 error because it requires storage.objects.get and storage.buckets.get permissions.
For security reasons, I prefer workflows where a service account can upload objects without granting extra read/list access, as is possible with gsutil.
My questions are:
- Is there a plan for gsutil to be fully deprecated in the future and replaced by gcloud storage?
- Given the differences in permissions behavior, what is the recommended approach for upload-only? I need a standalone CLI like gsutil so that the user does not need to install to upload files.
- Any advice on best practices to continue using minimal-permission uploads while preparing for the transition to gcloud storage?
Thanks in advance for guidance.